So if I’m reading this correctly that would seem to mean that all the thousands
(millions?) of pages with Java embedded are going to be relegated to IE only?
(And JAVA will finally DIE? Albeit a slow and lingering death.)
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] [mailto:[email protected]] On
Behalf Of Kurt Buff
Sent: Thursday, June 4, 2015 10:41 AM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker
Not Java specifically - the NPAPI interface.
So is Firefox, and so will Edge...
Kurt
On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife
<[email protected]<mailto:[email protected]>> wrote:
Interesting. I didn’t realize that Chrome was doing away with Java
functionality. Thanks for the update.
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]<mailto:[email protected]>]
On Behalf Of Kennedy, Jim
Sent: Thursday, June 04, 2015 5:12 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Cryptlocker
Demand for this in Chrome will dwindle to zero in September when there isn’t
any way to run Java in Chrome. It’s already dwindling….we did not bypass the
block in the last patch for Chrome that disabled it.
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of James Rankin
Sent: Thursday, June 4, 2015 7:08 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Cryptlocker
OK, FSLogix confirm that currently the Java remediation only works with IE. You
can restrict other browsers on a process basis only currently, so you could
force Chrome or Firefox to a specific Java version by process, but not by URL.
However, support for other browsers is on the roadmap. Any customer demand
(probably someone coming along with 5000 users and wanting it to work in
Chrome) will “drive the roadmap forward”, i.e. they’ll do it ASAP if there’s a
big enough sale at the end of it ☺
Hope this helps,
JR
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of James Rankin
Sent: 03 June 2015 18:56
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Cryptlocker
OK, I tried to test with Chrome and found out that Chrome has disabled just
about all the plugins from the websites I was using for testing ☹
Waiting for an answer from FSLogix support as I now have to put the kids in the
bath!
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Jonathan Link
Sent: 03 June 2015 18:44
To: [email protected]<mailto:[email protected]>
Subject: Re: [NTSysADM] Cryptlocker
Probably not pants.
On Wed, Jun 3, 2015 at 12:26 PM, James Rankin
<[email protected]<mailto:[email protected]>> wrote:
Let me get you an answer on that…maybe something I should have tested
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]<mailto:[email protected]>]
On Behalf Of Heaton, Joseph@Wildlife
Sent: 03 June 2015 17:22
To: '[email protected]<mailto:[email protected]>'
Subject: RE: [NTSysADM] Cryptlocker
So, it looks like FSLogix only works with IE? Is that true?
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of James Rankin
Sent: Tuesday, June 02, 2015 11:16 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Cryptlocker
OK, quick and dirty run-down, but I’m sure you can all get the gist of it
(hopefully!)
http://appsensebigot.blogspot.co.uk/2015/06/fslogix-first-look-1-managing-legacy-or.html
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Kurt Buff
Sent: 02 June 2015 17:38
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker
Yes, please put up the link here when done.
Kurt
On Tue, Jun 2, 2015 at 8:43 AM, James Rankin
<[email protected]<mailto:[email protected]>> wrote:
I shall endeavour to finish this as soon as possible then!
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]<mailto:[email protected]>]
On Behalf Of Maglinger, Paul
Sent: 02 June 2015 16:12
To: '[email protected]<mailto:[email protected]>'
Subject: RE: [NTSysADM] Cryptlocker
Me too!
-Paul
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Sean Martin
Sent: Tuesday, June 02, 2015 10:07 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [NTSysADM] Cryptlocker
Definitely interested.
- Sean
On Jun 2, 2015, at 6:08 AM, James Rankin
<[email protected]<mailto:[email protected]>> wrote:
What you need is FSLogix Java Rules Manager, only allow the vulnerable Java
version to be seen when a specific URL is visited, otherwise – it’s invisible
to the user and OS, and the latest version is used.
I’m writing an article up on this today, if anyone’s interested in Java version
management (on a sysadmin list, who isn’t?)
☺
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: 02 June 2015 14:51
To: '[email protected]<mailto:[email protected]>'
Subject: RE: [NTSysADM] Cryptlocker
Update Java? That’s just crazy talk. We’re still at 7u51, with no roadmap in
place to go any higher. Not my choice, btw, it is development issues with
Oracle.
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Ed Ziots
Sent: Saturday, May 30, 2015 10:48 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Cryptlocker
Nice.strategy
Ed
On May 29, 2015 9:31 AM, "Robert Strong"
<[email protected]<mailto:[email protected]>> wrote:
Ensure you have the latest patches installed for Java and Flash. Exploit kits
like Angler, Nuclear and Magnitude are starting to distribute Ransomware more
frequently via drive-by download attacks and malicious advertisements on common
websites.
We’ve had several ransomware incidents in the last few months all due to
unpatched systems. Host based detection is limited at best, but one thing I
have noticed in all incidents seen is that the malware typically uses
hxxp://ipinfo.io/ip<http://ipinfo.io/ip> to determine its public facing IP
address.
We have created correlation rules that detect users going to this domain via
our McAfee ESM SIEM, we then have an alarm that fires when that correlation
rule is seen and we can automatically apply an ePO tag to enforce a policy that
severely ‘disables’ the system (no R/W to network shares, restricted HTTP/HTTPS
going out). Our alarm also e-mails out some key characteristics about the
infected machine for easy identification by our IT Service Desk team.
Ransomware isn’t going away and it’s going to get worse. We’ve been able to
detect these IoC’s and have the issue remediated in under 7 minutes.
Cheers,
Rob Strong
Information Security Specialist
Equitable Life of Canada
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]<mailto:[email protected]>]
On Behalf Of David McSpadden
Sent: Thursday, May 28, 2015 7:17 PM
To: <[email protected]<mailto:[email protected]>>
Subject: Re: [NTSysADM] Cryptlocker
That's mine today.
What variant was yours
Sent from my iPhone
On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife
<[email protected]<mailto:[email protected]>> wrote:
We had that the other day. The files are getting encrypted, but the extensions
are not getting changed.
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Jonathan Link
Sent: Thursday, May 28, 2015 8:37 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [NTSysADM] Cryptlocker
The text files created should indicate the affected user with the Owner
attribute, no?
On Thu, May 28, 2015 at 11:30 AM, David McSpadden
<[email protected]<mailto:[email protected]>> wrote:
I am pretty sure I have pc with this on it in my network.
I have ran scans on workstations.
I still do not see it but I have the tell tale signs.
The HELP_DECRYPT files in network folders.
The word and excel files not being able to be opened etc.
How do I remove something that Trend is not seeing?
Nor Windows Endpoint protection?
David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190<tel:317.554.8190> | F: 317.554.8106<tel:317.554.8106>
[Description: imcu email icon]<http://imcu.com/>
<image002.jpg><https://www.facebook.com/IndianaMembersCU> [Description:
twitter email icon] <https://twitter.com/IndMembersCU>
<image003.jpg>
<image004.png>
This e-mail and any files transmitted with it are property of Indiana Members
Credit Union, are confidential, and are intended solely for the use of the
individual or entity to whom this e-mail is addressed. If you are not one of
the named recipient(s) or otherwise have reason to believe that you have
received this message in error, please notify the sender and delete this
message immediately from your computer. Any other use, retention,
dissemination, forwarding, printing, or copying of this email is strictly
prohibited.
Please consider the environment before printing this email.
IMPORTANT NOTICE: Without the use of secure encryption, the Internet is not a
secure medium and privacy cannot be ensured. Internet e-mail is vulnerable to
interception, misuse and forging. Equitable cannot ensure the privacy and
authenticity of any information sent by way of the public Internet. Equitable
will not be responsible for any damages you may incur if you communicate
confidential and personal information to us over the Internet or if we
communicate such information to you at your request. This e-mail and any
attachments are confidential, may be covered by legal professional privilege or
exempt from disclosure under applicable law, and are intended for the addressee
only. If you are not the intended recipient, you are not authorized to and must
not disclose, copy, distribute or retain any or part of this e-mail and any
attachments without written permission of The Equitable Life Insurance Company
of Canada.
